Sagar Sethi, Manager - Technology Risk Management

FGB

Location
United Arab Emirates
Education
Master, Master in Computer Application
Experience
20 years, 3 months


Professional experience

Total years of experience: 20 years, 3 months

Manager - Technology Risk Management at FGB
  • United Arab Emirates - Abu Dhabi
  • Working here since January 2014

  • Creation of management dashboards, heat maps and reports to senior management, as appropriate and necessary, in accordance with the Bank's Information Security Program and Policy and applicable regulations.
  • Member of the Computer Security Incident Response Team (CSIRT); participate in developing the response plan for cyber-attacks, to timely identify and contain security incidents and mitigate risk.
  • Review SLA documents for critical IT applications and infrastructure and highlight variance in RTO / RPO values against business requirements and IT commitments.
  • Review the Offshore Development Center (ODC) against the security baseline at regular intervals and report non-compliance.
  • Coordinating with third-party vendors for POC, PT, LA and other security activities.
  • Data Privacy and Protection Policy creation and implementation - DLP monitoring, coordinating, administrating and reporting using Symantec and Websense DLP tools.
  • Developed and designed Information Security awareness content for employees and customers using appropriate channels.
  • Facilitating and assisting in internal and external regulatory compliance audits such as ISO 27001, NESA, MAS and QFCRA.
  • Defining threat models and heat maps to identify application security risks and controls.
  • Vulnerability assessment using Nessus for patch and antivirus reviews, software and user enumeration, and virus checks.
  • Baseline documentation and review using Nessus for different OS, databases, and security systems such as firewalls, routers, switches and VPN.
  • Facilitate IT RCSA (Risk Control Self-Assessment) for all IT-related critical applications (AAA) annually and identify risk events which have weak or no controls in place. Present high-risk observations to the Risk Management committee.
  • Review system changes from an information security risk perspective during Change Advisory Board (CAB) meetings and recommend controls before implementing changes in the production environment.
  • Managed the BCMS implementation project for all branches and departments of the bank and achieved ISO 22301 certification.
  • Developed a BCMS framework comprising policy and procedure, BIA workshops with business units, BC risk assessment, recovery strategy, BCP plan creation, exercise and testing of the plan, training and awareness, and audit (internal and external).

IT Auditor at Al Masraf Bank
  • United Arab Emirates - Abu Dhabi
  • January 2012 to January 2014

  • Develop IT-related, risk-based audit plans and execute the approved audit plans in the IT department and in other departments of the bank. Conducted IT General Control, Software License, IT Project, IT Helpdesk and special assignment audits using a risk-based audit methodology.
  • Understand the business/processes of critical departments, identify potential technology and operational risks and recommend controls to mitigate the risk to an acceptable level.
  • Review the efficiency and effectiveness of operational and application controls, identify gaps and determine whether compliance exists with ISO 27001 policies and procedures.
  • Nominated as a member of the Internet Banking Implementation committee to oversee IT risk associated with the retail internet banking project.
  • Nominated as Risk Champion from the Audit team to identify key IT risks from audit areas and report Loss Data Management event reports to the Risk Management team.
  • As part of the Audit and Compliance team, managed and appraised the Anti-Money Laundering system (COMBAT) project implementation as per the UAE Central Bank mandate.
  • Review the security / access matrix of the following banking applications: ICCS, Phoenix Core Banking, CRM, Trade Wind System, e-dhiram G2, UAEASR, UAE DDS and FTS system.
  • Review of new banking applications against best practices and international standards and provide recommendations from the IT Risk and Audit area.
  • Review of the IT escrow contract for the core banking system.
  • Evaluated audit management software (Auto Audit and TeamMate).

Information Security Consultant at First Gulf Bank
  • United Arab Emirates - Abu Dhabi
  • June 2010 to January 2012

Consulted the Bank on implementing DLP (Data Leakage Prevention) across the complete Bank and its ODCs. Managed DLP end to end, from system to operation, for the Bank.
Perform quarterly audits as per ISO 27001 standards.
Maintain the information system asset (digital and non-digital) register.
Perform risk assessments and prepare the risk treatment plan.
Document the Standard Operating Procedures for the Information Technology group in line with the requirements of the standard and best practices. Update ISMS documents as and when required.
Provide Information Security awareness training to the employees of the bank.
Coordinate surveillance audits with external auditors.
Working on the DAM implementation project. Performed the RFP and POC for the same.

IT Auditor at Open Solutions Software Services Pvt. Ltd
  • India - Delhi
  • January 2010 to May 2010

Perform risk based audits of networks, IT Infrastructure, project implementations, DR programs, software development processes and IT support functions.
Plan and conduct effective meetings with Audit personnel, clients, and other third parties. Maintain effective working relationships at all levels of management in client organizations.
Identify control enhancement / improvement opportunities. Propose possible recommendations to business unit management and seek preliminary buy-in.
Document work performed in organized work papers to meet internal audit standards. Draft assigned sections of audit reports that provide a clear description of issues identified, related implications to the business, and recommendations to resolve the issues.
Vendor audits of information systems, including BCP, data privacy, physical and information security.
Perform quarterly vulnerability assessments and reviews of critical servers as per PCI-DSS standards.
Perform application audits for internal applications using industry best practices (OWASP).

Sr. Technology Risk Analyst at Fidelity Business Services India Pvt. Ltd
  • India - Bengaluru
  • February 2004 to December 2009

Worked in different domains of Information Security such as IT Security Ops, Access Management and IRM. Was a member of the ISO 27001 implementation team.
Performed AATR (Access Appropriate to Role) and job role creation.
Network vulnerability assessment using tools such as Nmap and Nessus.
Entrust Security Manager administration.
Administration of RSA Authentication Manager and Juniper Steel-Belted RADIUS.
Prepare and provide MIS and compliance reports to management.
Provide Information Security and Access Management training to the techline team.
People management: Managed a team of 8 members. Conducted interviews for eligible candidates, provided training to them, and managed administrative issues and conflicts among team members.
Project management: Managed the HR access management project from end to end. Created procedure documentation and designed the access workflow for account creation/deletion, exception requests and the quarterly access review process, and coordinated with the HR department and the PMO office to get all approvals.

Education

Master, Master in Computer Application
  • at Sikkim Manipal University
  • December 2010
Diploma, General Management
  • at Indian Institute of Management
  • October 2009
Bachelor's degree, Computers
  • at IGNOU
  • December 2005

Specialties & Skills

Data Loss Prevention
ISO 27001
Information Security Management
Internal Audit
Certified Internal Auditor
ISO 27001 (Information Security Management System)
CISM (Certified Information Security Manager)
ISO 22301, Business Continuity Management System
Prince2 Foundation and Practitioner

Languages

English
Expert
German
Intermediate

Memberships

ISC2
  • member
  • March 2008
ISACA
  • member
  • March 2009

Training and Certifications

CISSP (Certificate)
CISM (Certificate)
COBIT 5.0 Foundation (Certificate)
BS 18001 (LA) IRCA (Certificate)
ISO 22301 (LA) IRCA (Certificate)
CISA (Certificate)
MCP (Certificate)
Training date:
May 2006
Valid until:
July 2006